Online secure device provisioning framework

US 9,130,928 B2
Filed: 04/15/2011
Issued: 09/08/2015
Est. Priority Date: 04/15/2010
Status: Active Grant

First Claim

Patent Images

1. A method for updating network-enabled devices with new identity data, comprising:

collecting a first identifier for each network-enabled device from a first database and a second identifier for each network-enabled device from a second database;

consolidating into a whitelist the first and second identifiers associated with network-enabled devices that are authorized to be upgraded with new identity data;

generating a plurality of new identity data records;

encrypting the plurality of new identity data records at an identity generation system that is separate from the network-enabled devices using a key previously installed in each respective network-enabled device to produce encrypted new identity data records;

loading the encrypted new identity data records onto an update server;

receiving at the update server a request for new identity data from at least one network-enabled device having a previously assigned identity linked to the first identifier;

authorizing the at least one network-enabled device for the new identity data based on the whitelist;

linking the previously assigned identifier to a new identifier linked to one of the encrypted new identity data records; and

securely delivering one or more encrypted new identity data records to the network-enabled device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for updating network-enabled devices with new identity data includes generating a plurality of new identity data records and loading the new identity data records onto an update server. A request is received at the update server for new identity data from at least one network-enabled device having a previously assigned identity linked to an identifier. The previously assigned identifier is linked to a new identifier that is linked to one of the new identity data records. One or more new identity data records are securely delivered to the network-enabled device.

34 Citations

View as Search Results

28 Claims

1. A method for updating network-enabled devices with new identity data, comprising:
- collecting a first identifier for each network-enabled device from a first database and a second identifier for each network-enabled device from a second database;
  
  consolidating into a whitelist the first and second identifiers associated with network-enabled devices that are authorized to be upgraded with new identity data;
  
  generating a plurality of new identity data records;
  
  encrypting the plurality of new identity data records at an identity generation system that is separate from the network-enabled devices using a key previously installed in each respective network-enabled device to produce encrypted new identity data records;
  
  loading the encrypted new identity data records onto an update server;
  
  receiving at the update server a request for new identity data from at least one network-enabled device having a previously assigned identity linked to the first identifier;
  
  authorizing the at least one network-enabled device for the new identity data based on the whitelist;
  
  linking the previously assigned identifier to a new identifier linked to one of the encrypted new identity data records; and
  
  securely delivering one or more encrypted new identity data records to the network-enabled device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1 wherein the devices in the plurality of network-enabled devices authorized to be upgraded are authorized to be updated with new identity data by a service provider, said plurality of network-enabled devices being a subset of all network-enabled devices serviced by the service provider.
  - 3. The method of claim 2 wherein the devices in the subset of all devices are all of a common type.
  - 4. The method of claim 1 wherein the devices in the plurality of devices to be upgraded are devices whose respective users requested an update.
  - 5. The method of claim 1 wherein the devices in the plurality of devices to be upgraded receive authorization to be updated based on one or more factors selected from the group consisting of device customer, device type, and a region where authorized devices are deployed.
  - 6. The method of claim 1 wherein generating the new identity data record is performed for a specific network-enabled device based on the previously assigned identifier for the specific network-enabled device.
  - 7. The method of claim 1 wherein encrypting the new identity data is performed before the request for new identity data is received.
  - 8. The method of claim 1 wherein encrypting the new identity data is performed when the request for new identity data is received.
  - 9. The method of claim 8 wherein the network-enabled device has a plurality of previously assigned identifiers, an identifier associated with a first encryption type being linked to identity data previously installed on the network-enabled device, the identifier associated with the first encryption type being linked with a previously installed identity data record.
  - 10. The method of claim 9 wherein the new identifier is an identifier associated with a second encryption type, the identifier associated with the second encryption type being extracted from the network-enabled device and stored in a database during factory provisioning.
  - 11. The method of claim 9 further comprising loading a whitelist onto the update server, said whitelist including a previously assigned identifier associated with the first encryption type for each of the network-enabled devices that are authorized to be provisioned with new identity data and a previously assigned identifier associated with the second encryption type for each of the one or more of the network-enabled devices that are authorized to be provisioned with new identity data.
  - 12. The method of claim 11 further comprising establishing the whitelist by correlating a previously assigned identifier associated with third encryption type for each of the network-enabled devices authorized to be provisioned with respective ones of the identifiers of the first and second encryption types and further comprising tracking device inventory based on the previously assigned identifier associated with the third encryption type.
  - 13. The method of claim 12 wherein the identifier associated with the third encryption type is used as the new identifier.
  - 14. The method of claim 1 wherein the identity data includes a device digital certificate chain and a private key.

15. An identity management system, comprising:
- an identity data generator, separate from a plurality of network-enabled devices configured to generate a plurality of new identity data records and encrypt the new identity data records using a key previously installed in each of the plurality of network-enabled devices to produce encrypted new identity data records;
  
  a whitelist manager configured to (i) receive two or more identifiers associated with each of the plurality of network-enabled devices deployed for use in association with a network, the two or more identifiers received from different entities, an identifier associated with a first encryption type being received from a first entity indicating that the network-enabled device associated with the identifier is authorized to receive new identity data and (ii) produce a whitelist relating the two or more identifiers to each of the network-enabled device that are authorized to receive new identity data, wherein at least one of the identifiers associated with each network-enabled device is a previously assigned identifier;
  
  an update server configured to (i) receive the new identity data records from the identity data generator, (ii) receive requests for new identity data from the plurality of network-enabled devices (iii) authenticate each of the network-enabled devices and (iv);
  
  deliver an encrypted new identity data record to each one of the authenticated network-enabled device that are authorized to receive a new identity data record in accordance with the whitelist, said new identity data record being linked to the previously assigned identifier of the authenticated network-enabled device.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22)
- - 16. The identity management system of claim 15 wherein the update server is further configured to bind the previously assigned identifier to the new identity data record based on the whitelist.
  - 17. The identity management system of claim 15 wherein the identity data generator is further configured to bind the previously assigned identifier to the new identity data record based on the whitelist.
  - 18. The identity management system of claim 15 wherein the authorization of network-enabled devices to receive new identity data is based on the whitelist.
  - 19. The identity management system of claim 15 wherein the previously assigned identifier linked to the new identity data record is an identifier assigned by a device manufacturer.
  - 20. The identity management system of claim 15 wherein the previously assigned identifier linked to the new identity data record is an identifier assigned by a network operator who deployed the network-enabled devices.
  - 21. The identity management system of claim 15 wherein the first entity is a network operator who deployed the network-enabled device.
  - 22. The identity management system of claim 21 wherein a second of the two or more identifiers are received from a manufacturer of the network-enabled device.

23. An identity data management system, comprising:
- two or more databases storing at least two identifiers associated with a plurality of network-enabled devices, a first and second of the two identifiers being identifiers of a first and second encryption type, respectively, a first database of the two or more databases storing the first identifiers, a second database of the two or more databases storing the second identifiers;
  
  a whitelist manager for receiving a first set of data specifying one or more of the network-enabled devices that are authorized to be updated with new identity data, wherein the one or more network-enabled devices are identified in the first set of data by identifiers of the first encryption type, wherein the whitelist manager is configured to access the first and second databases to retrieve identifiers of the first and second encryption type which correspond to the identifiers of the first encryption type included in the first set of data and to establish a whitelist that includes corresponding identifiers of the first and second encryption type and to deliver said whitelist to an identity data generator and to an update server;
  
  an identity data generator, separate from the plurality of network-enabled devices, configured to generate identity data records that are each identified by an identifier associated with the second encryption type, said generated identity records being generated for network-enabled devices specified on the whitelist received from the whitelist manager, wherein the identity data generator is further configured to associate the identity data records with the whitelist and encrypt the identity data records using a key previously installed in each of the network-enabled devices specified on the whitelist to produce encrypted new identity data records; and
  
  an update server configured to receive over a communications network a request for new identity data from a deployed network-enabled device, and, said update server being further configured to send the encrypted new identity data records to the deployed network-enabled devices respectively identified by identifiers of the first encryption type in the whitelist and in data received from the identity data generator.
- View Dependent Claims (24, 25)
- - 24. The identity data management system of claim 23 wherein the plurality of network-enabled devices are associated with at least three identifiers, the whitelist manager being further configured to establish the whitelist so as to include an identifier associated with a third encryption type associated with each of the network-enabled devices.
  - 25. The identity data management system of claim 23 wherein the identity data records and the data specifying identifiers of the second encryption type are both received from the identity data generator in an off-line manner.

26. At least one non-transitory computer-readable medium encoded with instructions which, when executed by a processor, performs a method for updating network-enabled devices with new identity data, each of said network-enabled devices having at least two encryption types of identifiers associated therewith, comprising:
- receiving over a communications network a plurality of requests for new identity data for a plurality of network-enabled devices, each of said requests including an identifier associated with a second encryption type associated with the network-enabled devices;
  
  obtaining an identifier associated with a first encryption type associated with each of the network-enabled devices, said first identifier encryption type being an identifier that is included in identity data with which the network-enabled device is currently provisioned, wherein the network-enabled devices have previously been provisioned with identifiers of the first encryption type by respectively assigning the identifiers of the first encryption type to network-enabled devices that are already identified by identifiers of the second encryption type;
  
  receiving new identity data assigned with new identifiers of the second encryption type, wherein each of the new identifiers is matched with a corresponding identifier associated with the first encryption type;
  
  encrypting the new identity data at an identity generation system that is separate from the network-enabled devices using a key previously installed in each of the network-enabled devices to produce encrypted new identity data;
  
  delivering over the communications network the encrypted new identity data to respective ones of the network-enabled devices in accordance with their respective second identifiers.
- View Dependent Claims (27, 28)
- - 27. The computer-readable medium of claim 26 further comprising receiving a whitelist to obtain the identifier associated with the first encryption type and to receive the new identifier matched with the corresponding identifier associated with the first encryption type, said whitelist providing authorization to provision the network-enabled devices with new identity data.
  - 28. The computer-readable medium of claim 27 further comprising establishing the whitelist by correlating a previously assigned identifier associated with a third encryption type for each of the network-enabled devices authorized to be provisioned with respective ones of the identifiers of the first and second encryption types and further comprising tracking device inventory based on the previously assigned identifier associated with the third encryption type.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Original Assignee
Google Technology Holdings LLC (Alphabet Inc.)
Inventors
Qiu, Xin, Medvinsky, Alexander, Moskovics, Stuart P., Pasion, Jason A., Sprunk, Eric J., Wang, Fan, Yao, Ting
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
GYORFI, THOMAS A

Application Number

US13/087,847
Publication Number

US 20110258685A1
Time in Patent Office

1,607 Days
Field of Search

726/5, 713/176
US Class Current

1/1
CPC Class Codes

G06F 21/572   Secure firmware programming...

H04L 2463/102   applying security measure f...

H04L 63/06   for supporting key manageme...

H04L 63/0823   using certificates cryptogr...

Online secure device provisioning framework

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

34 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Online secure device provisioning framework

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links